
Sophos Firewall: Impact of expired license

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

Security protection on Sophos Firewall requires a Subscribed/Evaluating subscription.

If a subscription is Expired/Unsubscribed, Sophos Firewall can't perform corresponding security protection.

The following table lists each subscription and the security features it covers.

Subscription | Security features
Base Firewall | Firewall rule, VPN, Wireless Protection, NAT rule, site-to-site RED
Network Protection | IPS, ATP, SD-RED device, Security Heartbeat
Web Protection | Web Filter, Application Control, Anti-virus
Zero-day Protection | Machine Learning, Sandboxing File Analysis, Threat Intelligence
Central Orchestration | SD-WAN VPN Orchestration, Central Firewall Reporting Advanced
Email Protection | Anti-spam, Anti-virus, DLP, Encryption (SPX), Email Malware Protection
Web Server Protection | WAF, Anti-virus, reverse proxy
Enhanced Support | It is the minimum subscription for RMA, Sophos Technical Support service and firmware upgrade*.
Enhanced Plus Support | It provides more benefits than Enhanced support. Details in Sophos Support Service Guide.

* It applies to v19.0 MR1 and later. More details in the section "Enhanced support, Enhanced plus support".

Reference: Sophos Firewall > Administration Help > Licensing

Base Firewall

Once Base Firewall becomes Expired/Unsubscribed,

  1. Sophos Firewall stops applying firewall rules and NAT rules on any traffic.
    • All firewall rules stop working, no matter if they’re configured to allow or block traffic.
    • All NAT rules stop working.
    • The following traffic is allowed and has masquerading applied automatically by Sophos Firewall, even if there’s a firewall rule to drop it.
      • from LAN zone to WAN zone
      • from DMZ zone to WAN zone
      • from LAN zone to LAN zone
      • from LAN zone to DMZ zone
      • from DMZ zone to DMZ zone
      • from DMZ zone to LAN zone
      No other traffic except the above can traverse the Sophos Firewall.
  2. No VPN can be established.
  3. Site-to-site RED can't be established.
  4. AP and wireless network stop working.

It applies to Sophos Firewall v18 and later.
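
The fallback behaviour listed above, applied to a ruleset to show which drop rules stop blocking and which allowed flows stop working once Base Firewall expires. This is an added example, not Sophos code or part of the original article; the Rule record, outcome labels and sample rules are constructed for illustration, zones are matched by name, and only traffic forwarded through the firewall is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

# Zone pairs the article lists as allowed (and masqueraded) after expiry.
FALLBACK_ALLOWED = {
    ("LAN", "WAN"), ("DMZ", "WAN"), ("LAN", "LAN"),
    ("LAN", "DMZ"), ("DMZ", "DMZ"), ("DMZ", "LAN"),
}

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified rule record (not a Sophos export format)
    name: str
    src_zone: str
    dst_zone: str
    action: str  # "accept", or a blocking action such as "drop"

def impact_on_expiry(rule: Rule) -> str:
    """Classify what happens to the traffic a rule matches after expiry."""
    passes = (rule.src_zone.upper(), rule.dst_zone.upper()) in FALLBACK_ALLOWED
    if rule.action.lower() != "accept":
        # Blocking rule: the fallback overrides it for the listed zone pairs.
        return "BLOCK_LOST" if passes else "STILL_BLOCKED"
    # Accept rule: the flow survives only if its zone pair is in the list,
    # and then the whole zone pair is open, not just what the rule matched.
    return "STILL_PASSES" if passes else "SERVICE_LOST"

def assess(rules):
    """Group rule names by outcome so lost blocks stand out in a review."""
    report = defaultdict(list)
    for rule in rules:
        report[impact_on_expiry(rule)].append(rule.name)
    return dict(report)

# Constructed sample ruleset for illustration.
SAMPLE_RULES = [
    Rule("lan-to-internet", "LAN", "WAN", "accept"),
    Rule("block-lan-to-dmz-admin", "LAN", "DMZ", "drop"),
    Rule("block-dmz-to-lan", "DMZ", "LAN", "drop"),
    Rule("publish-web-server", "WAN", "DMZ", "accept"),
    Rule("vpn-users-to-lan", "VPN", "LAN", "accept"),
    Rule("block-wan-to-lan", "WAN", "LAN", "drop"),
]

if __name__ == "__main__":
    for outcome, names in sorted(assess(SAMPLE_RULES).items()):
        print(f"{outcome:14} {', '.join(names)}")
```

Rules reported as BLOCK_LOST mark internal segmentation (for example DMZ to LAN) that disappears on expiry, which is the main exposure to plan for before a Base Firewall license lapses.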

Email Protection

Once Email Protection becomes Expired/Unsubscribed, Sophos Firewall delivers email without anti-spam/antivirus scanning.

It applies to all Sophos Firewall OS versions.

Enhanced support, Enhanced plus support

If both Enhanced support and Enhanced Plus support are expired/unsubscribed,

  • For all Sophos Firewall OS versions, Sophos cannot provide RMA and Technical Support services.
  • For Sophos Firewall OS v19.0 MR1 and later, the firewall has three free firmware upgrades, and further firmware upgrades will only be possible with a valid support subscription. It does not impact the trial license, home use license, or firmware upgrades from the install wizard.

Edition history

2022-12-09 updated the section "Enhanced support, Enhanced plus support."

2022-09-29, minor update

2022-07-19, updated for v19.0 MR1

2022-01-14, fixed expired URL

2021-05-31, updated with section "Email protection"

2021-05-24, first release




Updated Links to latest
[edited by: Raphael Alganes at 10:26 AM (GMT -8) on 14 Nov 2024]
  • What about the other licence modules?
    I thought, that REDs are part of the Base Licence (same as for Wireless Protection). So the connection, ACLs and NAT should work for REDs with the base licence.

    If Network Protection expires (and the base license is still valid), all rules should still apply and control the traffic. But SFOS won't apply Security Heartbeat, IPS, ATP and SSL/TLS inspection, right?

    My experience with expired Web Protection was, the Web Proxy was reachable - but didn't apply any rule itself (It was on 17.5 - and long ago. I don't know, whether this is valid).

  • Hello TheMonzel,

    The RED device is part of the Network protection license. So you won’t be able to configure a RED device using only the Base License.

    If the Network Protection expires, you’ll be able to configure any module but it won't be enforced.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support